Google redirect, AV & IE damage

Discussion in 'Virus and Malware Removal' started by tatterjack, Oct 13, 2011.

  1. Broni Malware Annihilator Posts: 39,189   +175

    Delete your Combofix file, download fresh one and see if it'll run now.
  2. tatterjack Newcomer, in training Posts: 75

    combofix

    Copying it to the desktop from USB stick still gets "Access Denied"
    IE now has an address bar. Pasting in the download url and pressing enter returns a blank page. Ditto with the techspot address. Clicking on the link in the email doesn't open IE.

    Creating an Internet shortcut on the desktop with the address creates a Chrome icon. Chrome doesn't open when I double click the icon. Changing the HTML file association to IE doesn't change the icon to an IE one and it still doesn't open anything when double clicked.

    The google search page still appears when IE is started but searches return a blank page. Sometimes search results appear but clicking on them produces "Internet Explorer cannot open the page"

    Typing an IP address does open the page but navigation of the site is impossible and using the whole URL with just the .......com replaced by the ip doesn't work.

    I can copy other things to the desktop. I'm mindful of your instruction not to rename combofix unless instructed so I haven't done that yet.
  3. Broni Malware Annihilator Posts: 39,189   +175

    Let's run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.
  4. tatterjack Newcomer, in training Posts: 75

    Junction log

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
    ...
    Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.
    ...
    No reparse points found.
  5. Broni Malware Annihilator Posts: 39,189   +175

    Please download GrantPerms.zip and save it to your desktop.
    Unzip the file and, depending on the system, run GrantPerms.exe (32-bit system) or GrantPerms64.exe (64-bit system).
    Copy and paste the following in the edit box:

    Code:
    c:\\System Volume Information\MountPointManagerRemoteDatabase
    
    Click Unlock. When it is done click "OK".
    Click List Permissions and post the result of Perms.txt file that pops up.
    A copy of Perms.txt will be saved in the same directory the tool is run.
  6. tatterjack Newcomer, in training Posts: 75

    Perms.txt

    GrantPerms by Farbar
    Ran by Russell Dobash at 2011-10-15 17:26:10

    ===============================================
    \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
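An added example, not code from the thread or from the GrantPerms tool: a small Python parser for the Perms.txt format quoted above, followed by a check that flags what a responder looks for in such output (an owner other than Administrators or SYSTEM, a missing FULL entry for SYSTEM or Administrators, any DENY entry, and write rights granted to Users or Everyone). The first sample repeats the entry posted above with the user name replaced by a placeholder; the second, tampered sample, the rights words other than FULL and READ/EXECUTE, and the audit rules themselves are assumptions.

```python
"""Parse GrantPerms-style Perms.txt output and flag DACL entries worth a second look."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample 1: the entry posted in the thread (user name replaced by a placeholder).
SAMPLE_PERMS = r"""
GrantPerms by Farbar
Ran by <user> at 2011-10-15 17:26:10

===============================================
\\?\c:\\System Volume Information\MountPointManagerRemoteDatabase

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
"""

# Sample 2: a constructed, tampered entry (assumed shape; not from the thread).
TAMPERED_PERMS = r"""
===============================================
C:\Users\<user>\Desktop

Owner: S-1-5-21-<placeholder-sid>

DACL(P):
Everyone FULL DENY (CI)(OI)
BUILTIN\Administrators FULL ALLOW (CI)(OI)
"""

# One ACE line: "<principal> <rights> ALLOW|DENY (flag)(flag)...".
# Rights vocabulary beyond FULL and READ/EXECUTE is assumed.
ACE_RE = re.compile(
    r"^(?P<principal>.+?)\s+(?P<rights>[A-Z/]+)\s+(?P<type>ALLOW|DENY)\s*"
    r"(?P<flags>(?:\([A-Z]+\))*)\s*$"
)

TRUSTED_OWNERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
WRITE_RIGHTS = {"FULL", "MODIFY", "WRITE"}  # assumed rights words
LOW_PRIV = {"BUILTIN\\Users", "Everyone"}


@dataclass
class Entry:
    path: str
    owner: Optional[str] = None
    dacl_flags: List[str] = field(default_factory=list)
    aces: List[Dict[str, object]] = field(default_factory=list)


def parse_perms(text: str) -> List[Entry]:
    """Split Perms.txt into one Entry per '=====' block."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("====="):
            current = Entry(path=next(lines, "").strip())  # path follows the rule
            entries.append(current)
        elif current is None:
            continue  # tool banner before the first entry
        elif line.startswith("Owner:"):
            current.owner = line.split(":", 1)[1].strip()
        elif line.startswith("DACL"):
            current.dacl_flags = re.findall(r"\(([A-Z]+)\)", line)
        elif line:
            m = ACE_RE.match(line)
            if m:
                current.aces.append({
                    "principal": m.group("principal"),
                    "rights": m.group("rights"),
                    "type": m.group("type"),
                    "flags": re.findall(r"\(([A-Z]+)\)", m.group("flags")),
                })
    return entries


def audit(entry: Entry) -> List[str]:
    """Return human-readable findings for one entry (empty list means nothing odd)."""
    findings: List[str] = []
    if entry.owner not in TRUSTED_OWNERS:
        findings.append(f"unexpected owner {entry.owner!r} on {entry.path}")
    by_principal = {a["principal"]: a for a in entry.aces}
    for required in TRUSTED_OWNERS:
        ace = by_principal.get(required)
        if ace is None or ace["type"] != "ALLOW" or ace["rights"] != "FULL":
            findings.append(f"{required} lacks FULL ALLOW on {entry.path}")
    for ace in entry.aces:
        if ace["type"] == "DENY":
            findings.append(f"DENY entry for {ace['principal']} on {entry.path}")
        elif ace["principal"] in LOW_PRIV and ace["rights"] in WRITE_RIGHTS:
            findings.append(f"{ace['principal']} has {ace['rights']} on {entry.path}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PERMS, TAMPERED_PERMS):
        for e in parse_perms(sample):
            print(e.path, "->", audit(e) or "OK")
```

The posted entry comes back clean: Administrators own it, SYSTEM and Administrators hold FULL, and Users are limited to READ/EXECUTE, which is why the Unlock step alone did not explain the copy failures seen later in the thread.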
     
  7. Broni Malware Annihilator Posts: 39,189   +175

    Try to rename Combofix file to something else and see if you can copy it to your desktop.
  8. tatterjack Newcomer, in training Posts: 75

    Renaming combofix

    I renamed it to whatever.dud on the USB stick while on the other machine but got the same error when I tried to copy it on to the desktop of the compromised machine.

    Full error message:

    Cannot copy Whatever: Access is Denied

    Make sure the disk is not full or write-protected and that the file is not currently in use.

    Just a thought but McShield is still running. Although I can't turn it off I could possibly uninstall Mcafee.
  9. Broni Malware Annihilator Posts: 39,189   +175

    It can't be whatever.dud.
    It has to have .exe extension.
    whatever.exe will be fine.

    Try to do it in safe mode.
  10. tatterjack Newcomer, in training Posts: 75

    Renaming combofix

    Renaming to whatever.exe results in the same message.

    Safe mode wasn't working earlier but I will give it another try. It will have to be later as I have to go out now. Many thanks for your help so far.
  11. Broni Malware Annihilator Posts: 39,189   +175

    No problem :)
  12. tatterjack Newcomer, in training Posts: 75

    Safe Mode

    It still won't start in safe mode. It produces all the Multi(0), Rdisk(0) messages and then restarts.

    It's coming up to midnight here so I'll have to pick this up tomorrow.
  13. Broni Malware Annihilator Posts: 39,189   +175

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on Settings button
      • In Scan scope leave pre-checked items as they are and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on Report button, then on Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All then right click again and click Copy.
    • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
  14. tatterjack Newcomer, in training Posts: 75

    Kaspersky

    Good morning Broni.

    I ran the install from the USB stick. It showed the extraction window and then the green installation window with the progress bar. After a few minutes the progress bar stopped and it has now hung like that for 30 minutes. The only activity in task manager is again the McAfee modules.
  15. Broni Malware Annihilator Posts: 39,189   +175

    Going back to Combofix...
    Can you copy it to any other location than a desktop?
  16. tatterjack Newcomer, in training Posts: 75

    copying combofix

    Fraid not.

    I tried various locations, my id, my docs, all users, windows etc. The behaviour is the same, the copying window appears for longer than normal, then the Access Denied message.

    BTW the virus is obviously still active. When I put the USB drive in it takes ages for Windows Explorer to appear. When it does these four files appear on the USB, then disappear within 2 seconds then 10 seconds later reappear ad infinitum.
    Copy of shortcut to (1)
    Copy of shortcut to (2)
    Copy of shortcut to (3)
    Copy of shortcut to (4)
    Curiously autorun.inf hasn't reappeared.

    I could try running it from the USB drive but if it is preventing it being moved I don't hold much hope of running it.
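An added example, not code from the thread: a Python scan for the removable-drive artefacts described in the post above (an autorun.inf and the reappearing "Copy of shortcut to (N)" files), plus a snapshot comparison that counts how often such names appear and vanish between successive listings, which is the "appear, disappear, reappear" behaviour reported. The name patterns come from the post; the sample directory is constructed in a temporary folder. It only lists names and never opens the files, so it is safe to run against a stick mounted on a clean machine.

```python
"""Flag worm-style artefacts on a removable drive and count their presence flips."""
import os
import re
import tempfile
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Explorer hides the .lnk extension, so accept the name with or without it.
SHORTCUT_RE = re.compile(r"^copy of shortcut to \(\d+\)(?:\.lnk)?$", re.IGNORECASE)


def classify_name(name: str) -> Optional[str]:
    """Return a label for a suspicious file name, or None for an ordinary one."""
    if name.lower() == "autorun.inf":
        return "autorun.inf (autorun abuse indicator)"
    if SHORTCUT_RE.match(name):
        return "worm-style shortcut file"
    return None


def scan_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious name in a listing to its label."""
    findings: Dict[str, str] = {}
    for name in names:
        label = classify_name(name)
        if label:
            findings[name] = label
    return findings


def scan_drive_root(root: str) -> Dict[str, str]:
    """Scan the top level of a mounted drive (the only place the thread reports the files)."""
    return scan_names(os.listdir(root))


def count_flips(snapshots: List[Iterable[str]]) -> Counter:
    """Count, per suspicious name, how often it appears or vanishes between listings.

    A name that keeps flipping is being recreated by a running process, which
    matches the behaviour reported above better than a one-off leftover would.
    """
    flips: Counter = Counter()
    previous: Optional[set] = None
    for listing in snapshots:
        present = {n for n in listing if classify_name(n)}
        if previous is not None:
            for name in present ^ previous:  # symmetric difference = changed names
                flips[name] += 1
        previous = present
    return flips


def demo() -> Dict[str, str]:
    """Build a constructed sample drive root and scan it (not a real capture)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Copy of Shortcut to (1).lnk", "Copy of Shortcut to (2).lnk",
                     "holiday.jpg", "autorun.inf"):
            open(os.path.join(root, name), "w").close()
        return scan_drive_root(root)


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {label}")
    # Constructed listings imitating the "appear, vanish, reappear" cycle.
    cycle = [["Copy of shortcut to (1)", "photo.jpg"], ["photo.jpg"],
             ["Copy of shortcut to (1)", "photo.jpg"]]
    print(dict(count_flips(cycle)))
```

To use it on a real stick, call `scan_drive_root` with the mount point and feed `count_flips` a list of `os.listdir` results taken a few seconds apart; a non-zero flip count for a shortcut name is the signal that something on the host is still writing to the drive.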
  17. Broni Malware Annihilator Posts: 39,189   +175

    Please click HERE to download Kaspersky Virus Removal Tool.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on Settings button
      • In Scan scope leave pre-checked items as they are and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on Report button, then on Automatic Scan report tab.
    • Right click anywhere within right pane, click Select All then right click again and click Copy.
    • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
  18. tatterjack Newcomer, in training Posts: 75

    Kaspersky

    This time it stopped during the extraction saying the setup file was corrupted. I reformatted the USB stick and downloaded Kaspersky again.

    This time it installed, I made the settings changes and started the scan. One "Alarm" came up saying "A special disinfection process is required which demands the system reboot" I clicked "Yes perform the reboot." It continued finding about 19 infections and then spontaneously rebooted without giving me the chance to copy the report. On restart two minimised command prompts appeared, then the install window and then two EULA windows. In both of these there were transparent sections where buttons might have been. I may have clicked Start. A series of alarms came up in each of which I clicked Delete. The scan progress window appeared after the first couple of alarms. It then spontaneously rebooted again.

    On reboot a message appeared: 15909212.exe "Windows cannot access the specified Device, Path or File." The EULA window has appeared again, complete with buttons this time.

    Shall I Accept and Start?
  19. Broni Malware Annihilator Posts: 39,189   +175

    Yes.........
  20. tatterjack Newcomer, in training Posts: 75

    Kaspersky

    This time looked like a repeat of the first time with an Alarm inviting me to let it perform a special disinfection which I pressed Yes to. The smaller windows announcing infections found come and go too fast to get details but one of them had a view report link which I pressed. While the scan was still running the right hand pane displayed a list of messages. I selected all using control-A (habit) and tried to copy but there was no right-click. Tried control-C and then tried to paste into a txt but at this point a message about something not being a windows application came up and the machine spontaneously rebooted.

    On restart four minimised command prompts with the following titles appeared
    _uninst_22500242
    _uninst_69380408
    _uninst_1590912
    _uninst_7234949
    and two messages saying Windows cannot access the specified device, path, or file with the following titles
    7234949.exe
    1590912.exe

    These are all still displayed and no other windows have appeared.

    Shall I OK the messages?

    It may have to be tomorrow but I can leave the machine running.

    Thanks for helping out over your weekend.